So we have just been advised that the KB article regarding user-level MDM, which is needed to deploy VPP apps to lab machines or local users (https://www.jamf.com/jamf-nation/articles/372/enabling-mdm-for-local-user-accounts), will break DEP enrolment on Macs.
As we have found out, now that 10.13.4 has been released we need profiles for KEXT approval.
To be fair to JAMF, they did update the KB article to state the following:
Note: For computers with macOS 10.13.2 and later, this workflow for enabling MDM for local user accounts will reset any previous User Approved MDM Enrollments. If you use this as a part of existing ongoing workflows, you should evaluate the impact of these changes.
However, not having looked at the KB article for some time, I would have loved to see more about this in the release notes.
On the latest 10.3 version of the JSS they added an inventory collection item, Enrolled via DEP. This is populated by running the command:
profiles status -type enrollment
However, if you have at any point run the command jamf mdm -userLevelMdm, this will set your machine back to the equivalent of a user-based enrolment, which means that if you try to deploy a profile that requires user approval or DEP, it will fail.
So, as a concept, to get machines back into DEP enrolment status I have done some basic testing to get it done as close to zero-touch as possible:
1. Make sure the Global Settings > Re-enrollment options are all un-ticked and the drop-down is "Clean Nothing".
2. Disable your policies which run the -userLevelMdm command.
3. Create a new PreStage Enrollment profile for re-enrollment:
   General > Don't require auth
   General > Make MDM profile mandatory
   General > Skip all steps on setup window
   Account Settings > Skip account creation
4. Create a policy to remove /var/db/.AppleSetupDone and restart the machine.
Upon restart you will go through the Setup Assistant and have to agree to as few things as possible.
Once you have confirmed and re-enrolled all devices, you will want to change back the settings changed in item 1 and move devices back to the original PreStage Enrollment.
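The check and the remediation step from the post, as an added example that is not code from the thread or from Jamf. It parses the two-line output that `profiles status -type enrollment` prints on 10.13.4 ("Enrolled via DEP: Yes/No" and "MDM enrollment: Yes (User Approved)/Yes/No"; that format is an assumption, so adjust the field names if your build differs), reports whether the Mac still holds a DEP plus User Approved enrolment, and otherwise performs the post's step 4 (remove /var/db/.AppleSetupDone and restart). The sample status text is constructed; the restart only fires when the script is run as root on macOS, which is how a Jamf policy would run it.

```shell
#!/bin/sh
# Added example (not from the thread): decide whether a Mac needs the
# re-enrolment workflow, based on `profiles status -type enrollment`.
# Assumed output format (10.13.4):
#   Enrolled via DEP: Yes|No
#   MDM enrollment: Yes (User Approved)|Yes|No

# Print "yes" or "no" from the "Enrolled via DEP" line of the given text.
dep_enrolled() {
    printf '%s\n' "$1" | awk -F': *' \
        'tolower($1) ~ /enrolled via dep/ { print tolower($2); exit }'
}

# Print "approved", "unapproved" or "none" from the "MDM enrollment" line.
mdm_state() {
    printf '%s\n' "$1" | awk -F': *' 'tolower($1) ~ /mdm enrollment/ {
        v = tolower($2)
        if (v ~ /user approved/)  print "approved"
        else if (v ~ /^yes/)      print "unapproved"
        else                      print "none"
        exit
    }'
}

# "ok" only when the Mac is DEP enrolled AND the enrolment is user approved;
# anything else (e.g. after jamf mdm -userLevelMdm reset it) is "reenroll".
needs_reenroll() {
    if [ "$(dep_enrolled "$1")" = "yes" ] && [ "$(mdm_state "$1")" = "approved" ]; then
        echo ok
    else
        echo reenroll
    fi
}

# Step 4 from the post: drop the Setup Assistant marker and restart so the
# machine runs through the re-enrollment PreStage. Only acts as root on macOS;
# elsewhere it reports what it would do so the script is safe to dry-run.
reenroll_via_setup_assistant() {
    marker=/var/db/.AppleSetupDone
    if [ "$(uname)" != "Darwin" ] || [ "$(id -u)" -ne 0 ]; then
        echo "dry-run: would remove $marker and restart"
        return 0
    fi
    rm -f "$marker" && shutdown -r now
}

main() {
    if command -v profiles >/dev/null 2>&1; then
        status="$(profiles status -type enrollment 2>/dev/null)"
    else
        # Constructed sample standing in for a Mac whose UAMDM was reset.
        status='Enrolled via DEP: No
MDM enrollment: Yes'
    fi
    echo "$status"
    if [ "$(needs_reenroll "$status")" = "reenroll" ]; then
        reenroll_via_setup_assistant
    else
        echo "enrolment intact, nothing to do"
    fi
}

main "$@"
```

Run it from a Jamf policy after steps 1 to 3 are in place; because it restarts immediately on a reset Mac, scope it to a smart group of affected machines rather than all computers.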
Wow... just wow...
This past year I really feel like Apple has lost the plot on macOS..
UAMDM, kext blocking, deprecation of imaging, deprecation of OS X Server and SUS, firmware updates only installable through the macOS installer, encouragement to abandon AD, Configuration Profiles that trade the subtlety of MCX with its Once, Often, Always for the blunt knife they've become... After spending the past couple of months trying to plan our migration of 3500 Macs to High Sierra over the summer, this will be the first time in over a decade that we will be redeploying the previous year's OS. Even worse, we're starting to think about abandoning the platform altogether, as it's getting almost impossible to manage with any kind of predictability.
So, this is not DEP specific: running "jamf mdm -userLevelMdm" on a 10.13.x Mac which has UAMDM enabled will RESET the UAMDM status. 'Effing hell, Jamf and Apple! HELL!
It also appears to change Enrolled via DEP from Yes to No for our DEP-enrolled Macs when our first local admin user is logged in for the first time and a VPP app is deployed automatically. We've had to turn off automatic VPP app installation altogether until we figure out a workaround.
It seems to me that the issue stems from our first local admin user not getting classified as "MDM Capable" at creation by the pre-stage enrollment.
I've had about half of my 10.13 systems enrolled via DEP lose their "Enrolled via DEP" status in Jamf inventory. I also have a single VPP app automatically deployed to all systems but I honestly don't know what variables are contributing to this problem. End result is this is beyond annoying.
My issues were originating from VPP apps set to automatically install while our local admin was logged in. We fixed this by adding our local admin account to the exclusion list for these VPP apps.